Linux Admin Smart Guide

Generating a CA Root Certificate

To generate a CA certificate we will use the openssl command. It is assumed that the reader has already set up the OpenSSL environment as explained in the section Installing and customizing OpenSSL.

The first step is to generate a private key based on the RSA asymmetric cryptographic system. The command to use is openssl genrsa, whose man page can be accessed with man openssl-genrsa.


root@myhost:~# cd /etc/ssl
root@myhost:/etc/ssl# openssl genrsa -out ./private/cakey.pem -aes256 4096
Enter PEM pass phrase: TYPE_YOUR_SECRET
Verifying - Enter PEM pass phrase: TYPE_YOUR_SECRET

Substitute TYPE_YOUR_SECRET with a long password of your choice, write it down on a physical medium (e.g., paper), keep it in a safe and secure place, and do not share it with anyone. This is the most critical password you will have to manage.

Looking at the command, a length of 4096 bits was chosen for the key. As a general guideline, it is advisable to avoid shorter lengths for CA and server keys. Moreover, the modern AES-256 symmetric cipher was chosen to encrypt the CA key. The less modern triple DES algorithm can also be adopted (e.g., for compatibility reasons) by using -des3 in place of -aes256.

Once the CA key is created, the private directory should look like this:


root@myhost:/etc/ssl# ls -la private/
total 20
drwx--x--- 2 root ssl-cert    4 Nov 16 16:49 .
drwxr-xr-x 9 root root       10 Nov 16 16:49 ..
-rw------- 1 root root     3434 Nov 16 16:50 cakey.pem
-rw-r----- 1 root ssl-cert 1704 Apr 24  2022 ssl-cert-snakeoil.key

Verify that the file cakey.pem has mode 600 permissions. If not, run chmod 600 ./private/cakey.pem to set it correctly. The private key will look like this:


root@myhost:/etc/ssl# cat ./private/cakey.pem 
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJrTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI86leS/XCN0sCAggA
MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBC51sx73ZkYpaT4CCs5tRqQBIIJ
UF4l+1i8MtW4HMh+yk6OZtj8Mc/5+AAQgNlHPxDABleTPHYNlxowJntQKLyBxLKN
...
...
...
8uzR48om2qTSBzO2y7uxrdzR5DUAIxoOi2jsxUahTyze7eD+9P1MpFcq184JJbsA
HzhE46LcHqDf17qVW+mArfGW4bt6rvP1lP02ejD4tBVoRcRSP6d8FLP7BVoZ4LCB
XcW1r5bV++F/9zzJmtIih4gtHHfMowQxTNZ1j9RWzUh2
-----END ENCRYPTED PRIVATE KEY-----

For the sake of completeness, the public key can be obtained from the private key by running the following command (this step is not needed for certificate creation).


root@myhost:/etc/ssl# openssl rsa -in ./private/cakey.pem -pubout             
Enter pass phrase for ./private/cakey.pem: TYPE_YOUR_SECRET
writing RSA key
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA44qkEHNM2ck/odP6FLt2
hv0F1Hi0gGKJoHV1qPOJl0Uj6xsxg8ZN45r1IN216ziRXFoQL4/KpuQl1+RJj7jg
...
...
...
wI2iWhPKDdSNx7DQkuddCG9KnR1otr/f2LTn7IUG9HnXOiYWR3FfRtXzTlCxJvTm
qPxX6SACwCRnOqNBjKCyKz0CAwEAAQ==
-----END PUBLIC KEY-----

Now we can proceed to generate an X.509 certificate for our CA.


root@myhost:/etc/ssl# echo "01" > serial
root@myhost:/etc/ssl# echo "1001" > crlnumber
root@myhost:/etc/ssl# touch index.txt
root@myhost:/etc/ssl# openssl req -x509 -new -nodes -key ./private/cakey.pem -sha256 -days 7300 -out ./cacerts/cacert.pem
Enter pass phrase for ./private/cakey.pem: TYPE_YOUR_SECRET
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) [San Francisco]:
Organization Name (eg, company) [My Company]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:My Company Root CA
Email Address [netadmin@mycompany.com]:

Since we defined some defaults in openssl.cnf, the only field we have to specify is the common name of the CA.

To show the characteristics of our CA certificate, the following command can be run.


root@myhost:/etc/ssl# openssl x509 -in ./cacerts/cacert.pem -noout -text
Certificate:
      Data:
         Version: 3 (0x2)
         Serial Number:
            60:d6:7b:17:c3:1f:12:95:14:1d:50:90:a9:3b:ad:b1:e9:9d:2e:99
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = California, L = San Francisco, O = My Company, CN = My Company Root CA, emailAddress = netadmin@mycompany.com
         Validity
            Not Before: Nov 16 18:15:37 2022 GMT
            Not After : Nov 11 18:15:37 2042 GMT
         Subject: C = US, ST = California, L = San Francisco, O = My Company, CN = My Company Root CA, emailAddress = netadmin@mycompany.com
         Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                  Public-Key: (4096 bit)
                  Modulus:
                     00:e3:8a:a4:10:73:4c:d9:c9:3f:a1:d3:fa:14:bb:
                     76:86:fd:05:d4:78:b4:80:62:89:a0:75:75:a8:f3:
                     ...
                     ...
                     d7:3a:26:16:47:71:5f:46:d5:f3:4e:50:b1:26:f4:
                     e6:a8:fc:57:e9:20:02:c0:24:67:3a:a3:41:8c:a0:
                     b2:2b:3d
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
                 00:32:A8:49:BC:A0:EF:26:DA:50:D0:A4:E6:1C:B0:17:58:57:F6:1F
             X509v3 Authority Key Identifier: 
                 00:32:A8:49:BC:A0:EF:26:DA:50:D0:A4:E6:1C:B0:17:58:57:F6:1F
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Key Usage: 
                 Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
     Signature Value:
         43:a1:59:20:89:e4:f4:d1:a6:ae:32:22:1e:e1:e4:da:71:f4:
         84:af:98:8d:13:17:2a:4d:1f:0c:fa:f3:b4:b5:5e:51:bc:e6:
         ...
         ...
         2a:8c:ac:3c:67:66:26:bb:1a:e1:12:67:70:79:b2:d5:51:9f:
         c4:d7:32:e3:ba:ad:34:71:8d:cd:47:54:0d:82:90:b4:a0:12:
         b6:f2:71:1f:99:4f:a7:73

Looking at the X509v3 extensions field, we can verify that our certificate is actually a CA certificate: Basic Constraints is marked critical and set to CA:TRUE, and Key Usage includes Certificate Sign and CRL Sign. Our CA certificate cacert.pem contains the CA's public key, and it must be shared with everyone who needs to verify our signatures.
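The checks described so far (key mode 600, encrypted key, matching public key, CA:TRUE) can be scripted. The following is an added example, not part of the original guide; the function names, the CA_PASS variable and the throwaway 2048-bit sample CA are assumptions made for the demonstration.

```shell
# Added example (not from the original guide): audit a CA key/certificate pair.
# check_ca KEY CERT PASSIN -> prints each failed check, returns the failure count.
# PASSIN is an openssl pass phrase source such as env:CA_PASS (assumed variable name).
check_ca() {
    key=$1; cert=$2; passin=$3; fails=0
    # 1. The key file must be accessible by its owner only (GNU stat syntax).
    [ "$(stat -c %a "$key")" = "600" ] \
        || { echo "FAIL: key mode is not 600"; fails=$((fails + 1)); }
    # 2. The key must be stored encrypted (PKCS#8 or traditional PEM header).
    grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$key" \
        || { echo "FAIL: key is not encrypted"; fails=$((fails + 1)); }
    # 3. The certificate must carry Basic Constraints CA:TRUE.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
        || { echo "FAIL: certificate is not a CA certificate"; fails=$((fails + 1)); }
    # 4. The public key in the certificate must be the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || cert_pub=
    key_pub=$(openssl rsa -in "$key" -passin "$passin" -pubout 2>/dev/null) || key_pub=
    { [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; } \
        || { echo "FAIL: key and certificate do not match"; fails=$((fails + 1)); }
    # 5. A root certificate is self-signed, so it must verify against itself.
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: certificate does not verify against itself"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample: throwaway CA in directory $1. The subject name, the
# pass phrase and the 2048-bit size (chosen only to keep the demo fast) are made up.
make_sample_ca() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = digitalSignature,keyCertSign,cRLSign
EOF
    openssl genrsa -aes256 -passout env:CA_PASS -out "$d/cakey.pem" 2048 2>/dev/null
    chmod 600 "$d/cakey.pem"
    openssl req -x509 -new -config "$d/ca.cnf" -key "$d/cakey.pem" \
        -passin env:CA_PASS -sha256 -days 1 -out "$d/cacert.pem"
}

export CA_PASS='constructed-demo-pass-phrase'
tmp=$(mktemp -d) && make_sample_ca "$tmp" \
    && check_ca "$tmp/cakey.pem" "$tmp/cacert.pem" env:CA_PASS && echo "all checks passed"
```

For the CA built in this guide, the equivalent call from /etc/ssl is check_ca ./private/cakey.pem ./cacerts/cacert.pem env:CA_PASS, with CA_PASS set in the current shell only.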

The CA certificate can be installed system-wide on client computers. In Ubuntu, and also in most modern Linux distributions, the package ca-certificates is typically installed by default, so the system-wide installation can be performed by running the following commands.


root@myhost:/etc/ssl# cp ./cacerts/cacert.pem /usr/local/share/ca-certificates/MyCompany_CA.crt
root@myhost:/etc/ssl# update-ca-certificates 
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@myhost:/etc/ssl# ls -la ./certs | grep MyCompany
lrwxrwxrwx 1 root root     16 Nov 17 10:21 7da1b24b.0 -> MyCompany_CA.pem
lrwxrwxrwx 1 root root     49 Nov 17 10:21 MyCompany_CA.pem -> /usr/local/share/ca-certificates/MyCompany_CA.crt

Notice that the command update-ca-certificates requires the certificate to have the .crt extension. As can be seen, the certificate is added to the /etc/ssl/certs directory and a symbolic link is also created. The name of the link is the subject name hash of the certificate, which can also be obtained by running the command openssl x509 -hash -in /etc/ssl/cacerts/cacert.pem -noout.

In Microsoft Windows, the CA certificate can be installed system-wide by running certlm from an elevated Command Prompt or PowerShell. The certificate must be added to the Trusted Root Certification Authorities store.

DISCLAIMER

The material and methods reported in Linux Admin Smart Guide, even if tested, are provided without any guarantee. All the commands are run as privileged (root) user, so it is highly recommended to try them first on non-production machines and, in any case, to always do backups first. Linux Admin Smart Guide is not responsible for any damage or data loss caused by misformulated commands or inadvertently launched commands.

To gain a root shell, run the command sudo su -l from the shell of a regular user who is included in the sudoers list, or simply run the command su -l and then provide the root password.